Difficult to figure out how configure --api=x.y.z vs OPENSSL_API_COMPAT behave
Yann Droneaud
ydroneaud at opteya.com
Fri Mar 11 17:43:56 UTC 2022
Hi,
I have a hard time figuring out how to use --api=x.y.z with regard to
the OPENSSL_API_COMPAT define.
https://github.com/openssl/openssl/blob/openssl-3.0.1/INSTALL.md#api-level
https://www.openssl.org/docs/man3.0/man7/OPENSSL_API_COMPAT.html
Say I have #define OPENSSL_API_COMPAT 0x010101000L in one file and want
to compile it against OpenSSL 3.0.1 configured with --api=1.1.0,
I would have expected OPENSSL_API_COMPAT to ask for API 1.1.1 to be
available, and --api=1.1.0 to ask for APIs 1.1.0, 1.1.1, and 3.0 to be
built in OpenSSL.
But this doesn't work as I expected.
$ git describe
openssl-3.0.1
$ ./Configure --banner= --api=3.0 && make -s build_generated && \
  gcc -E -x c /dev/null -I include -DOPENSSL_API_COMPAT=0x010101000L \
  -include "include/openssl/opensslconf.h" -o /dev/null && \
  echo "*** SUCCESS ***"
Configuring OpenSSL version 3.0.1 for target linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Running configdata.pm
Creating Makefile.in
Creating Makefile
*** SUCCESS ***
$ ./Configure --banner= --api=1.1.1 && make -s build_generated && \
  gcc -E -x c /dev/null -I include -DOPENSSL_API_COMPAT=0x010101000L \
  -include "include/openssl/opensslconf.h" -o /dev/null && \
  echo "*** SUCCESS ***"
Configuring OpenSSL version 3.0.1 for target linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Running configdata.pm
Creating Makefile.in
Creating Makefile
*** SUCCESS ***
$ ./Configure --banner= --api=1.1.0 && make -s build_generated && \
  gcc -E -x c /dev/null -I include -DOPENSSL_API_COMPAT=0x010101000L \
  -include "include/openssl/opensslconf.h" -o /dev/null && \
  echo "*** SUCCESS ***"
Configuring OpenSSL version 3.0.1 for target linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Running configdata.pm
Creating Makefile.in
Creating Makefile
In file included from ./include/openssl/opensslconf.h:15,
                 from <command-line>:
include/openssl/macros.h:139:4: error: #error "The requested API level higher than the configured API compatibility level"
  139 | # error "The requested API level higher than the configured API compatibility level"
      | ^~~~~
It makes no sense to me that building OpenSSL with --api=3.0 provides
1.1.1 OPENSSL_API_COMPAT, while OpenSSL configured with --api=1.1.0
doesn't provide 1.1.1 OPENSSL_API_COMPAT, as --api should set the oldest
API supported.
What do you think? Where is my misunderstanding?
Regards.
--
Yann Droneaud
OPTEYA
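
An added example, not part of the original message and not OpenSSL's own code: a small C model of the comparison behind the #error shown in the third run. It assumes that both the --api value and OPENSSL_API_COMPAT are reduced to one number (major*10000 + minor*100 + patch) and that a request above the configured number is rejected; the function names are hypothetical.

```c
#include <stdio.h>

/* Reduce an OPENSSL_API_COMPAT value to major*10000 + minor*100 + patch.
 * Assumption: large values are old-style hex version numbers (0xMNNFFPPSL);
 * small values (e.g. 30000, 10101) are already in the reduced form. */
static long api_level_from_compat(unsigned long compat)
{
    if (compat < 0x900000UL)
        return (long)compat;
    return (long)(((compat >> 28) & 0xF) * 10000
                  + ((compat >> 20) & 0xFF) * 100
                  + ((compat >> 12) & 0xFF));
}

/* Reduce a --api=x.y.z argument to the same scale. */
static long api_level_from_version(int major, int minor, int patch)
{
    return major * 10000L + minor * 100L + patch;
}

/* 1 when the headers would accept the request, 0 when the #error fires:
 * the requested level must not be higher than the configured one. */
static int compat_accepted(unsigned long compat, long configured)
{
    return api_level_from_compat(compat) <= configured;
}

int main(void)
{
    /* The three configurations tried in the message. */
    const int cfg[3][3] = { {3, 0, 0}, {1, 1, 1}, {1, 1, 0} };
    const unsigned long compat = 0x010101000UL; /* value used in the message */

    for (int i = 0; i < 3; i++) {
        long configured = api_level_from_version(cfg[i][0], cfg[i][1], cfg[i][2]);
        printf("--api=%d.%d.%d (level %ld), requested level %ld: %s\n",
               cfg[i][0], cfg[i][1], cfg[i][2], configured,
               api_level_from_compat(compat),
               compat_accepted(compat, configured) ? "accepted" : "#error");
    }
    return 0;
}
```

Under this model the configured level acts as an upper bound on what an application may request, which reproduces the two successes and the one failure in the transcript.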